How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic.

The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users' posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests.

"Obviously one request per second is not a lot," Incapsula researchers Ronen Atias and Ofer Gayer wrote. "However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos."

The novel attack was made possible by the presence of a persistent cross-site scripting (XSS) vulnerability in the video site, which Incapsula didn't identify except to say it fell in the Alexa top 50 list. XSS exploits effectively allow attackers to store malicious JavaScript on a website that gets invoked each time someone visits. The booby-trapped user icons contained an iframe tag that pulled malicious instructions off an attacker-controlled command and control server. The malicious instructions caused browsers to surreptitiously flood the DDoS target with an unusually high number of GET requests. Incapsula was able to mitigate the effects of the attack using a combination of progressive challenges and behavior-based security algorithms.

Remember the Samy Worm?

The attack is only the latest to harness the tremendous power of XSS vulnerabilities. The technique came into vogue in 2005 with the advent of the Samy worm. Named after its creator, a hacker named Samy Kamkar, the XSS exploit knocked MySpace out of commission for a day by forcing anyone who viewed his profile to become a MySpace friend. In less than 24 hours, Kamkar, who later served time in jail for the stunt, gained more than one million followers.

"The nature and beauty of persistent XSS is that the attacker doesn't need to target specific users," Matt Johansen, senior manager of Whitehat Security's threat research center, told Ars. "The malicious JavaScript is stored on the website and replayed to anybody who visits this in the future. This particular JavaScript forced each browser that was running it to make a request in one-second intervals."

Last year, Johansen and other colleagues from Whitehat Security demonstrated a proof-of-concept ad network that created a browser-based botnet using a technique that's similar to the one Incapsula observed exploiting the XSS weakness.

"The delivery mechanism [in the Incapsula-observed attack] was different as it was from persistent XSS in the site instead of an ad network," Johansen explained. "The only difference there was how the malicious JavaScript was rendered in the user's (bot's) browser. The code that is quoted in the [Incapsula] article is using a very similar technique to the code we wrote for our talk. Instead of using (image) tags like we did, this attacker is using tags which then make one request per second. We were just loading as many images as possible in the time our JavaScript was running."

Incapsula's finding underscores the constantly evolving nature of online attacks. It also demonstrates how a single weakness on one party's website can have powerful consequences for the Internet at large, even for those who don't visit or otherwise interact with the buggy application.